🚇

How Does ngrok Work?

Exposing Local Servers to the Internet via Reverse Tunnel

The core of ngrok is the "reverse tunnel". The ngrok agent on your PC first establishes an outbound TCP/TLS connection to ngrok cloud servers. ngrok cloud assigns a public URL (e.g., abc123.ngrok.io) and forwards incoming HTTP requests through that tunnel to your local server. This is why you can expose local services to the internet without port forwarding or firewall configuration.

Architecture Diagram

🌍

External Client

Browser / Webhook

④ HTTP request →

☁️

ngrok Cloud

abc123.ngrok.io

Public URL assigned

⑤ tunnel forwarding

② outbound TLS

←

🚇 💻

My PC (behind firewall)

ngrok agent localhost:3000

Key point: ngrok agent opens an <strong>outbound connection first</strong>, so no firewall/NAT configuration needed

Flow Description

ngrok http 3000 executed
Agent establishes outbound TLS tunnel to ngrok cloud
Public URL (abc123.ngrok.io) assigned
External traffic arrives at public URL
ngrok cloud forwards to local via tunnel
Local response returns to external via tunnel

How It Works

ngrok agent runs locally (ngrok http 3000)

Agent establishes outbound TLS connection to ngrok cloud (reverse tunnel)

ngrok cloud assigns public URL (abc123.ngrok.io)

External client sends HTTP request to public URL

ngrok cloud forwards request to local server through tunnel

Local server response returns to external client through tunnel

Pros

✓ Works behind firewalls/NAT
✓ Instant public URL generation
✓ Automatic HTTPS support
✓ No port forwarding needed

Cons

✗ Dependency on ngrok cloud (single point of failure)
✗ Free plan limitations (session time, bandwidth)
✗ Additional latency (via cloud)
✗ Not suitable for production use

Use Cases

Webhook local development/debugging Testing local API from mobile apps Demos/presentations Remote access to IoT devices

🔌

WebSocket

Bidirectional Real-time Communication

→

← 🔗 Peer-to-Peer (P2P) 💬 How Does Slack Socket Mode Work? →